Topic: ProCurve manager hardening - port 51111 (in PCM)
http://h30499.www3.hp.com/t5/PCM/ProCurve-manager-hardening-port-51111/m-p/6485158#M656
<P>Hello all,</P>
<P>During a PCI audit we received the following request from the auditors:</P>
<P>xxx.xxx.xxx.xxx 51111 Unique Test &nbsp; Issue: Weak hash algorithms active&nbsp; Measure:&nbsp; Use strong hash algorithms</P>
<P>xxx.xxx.xxx.xxx 51111 Unique Test &nbsp; Issue: Weak encryption ciphers active Measure:&nbsp; Deactivate weak ciphers</P>
<P>The PCM agent runs on this port. According to the technical literature, this alert is caused by the self-signed certificate produced by PCM.</P>
<P>Do you have any information on whether it is possible to use an external CA-signed certificate for the PCM agent?</P>
<P>Or can I request a statement from HP that it is not possible to change and that it is not an issue?</P>
<P>Thank you in advance!</P>
<P>P.S. This thread has been moved from ProCurve / ProVision-Based to PCM. -HP Forum Moderator</P>
Posted by pgyuzelev, Mon, 26 May 2014 02:05:06 GMT
Re: ProCurve manager hardening - port 51111
http://h30499.www3.hp.com/t5/PCM/ProCurve-manager-hardening-port-51111/m-p/6485786#M657
<P>It doesn't appear to support external certificates. If you update to the latest version and regenerate the certificate, it might generate a longer key/better algorithm by default. However, I am only guessing.</P>
<P>What I would do is:</P>
<P>1. If you have paid support, open a proper ticket. If you have the paid-for PCM+, that is.</P>
<P>2. Consider a plan to migrate off PCM, as it's heading for EOL. I imagine the auditors will be less than happy if they find an issue with it and it's unsupported software.</P>
Posted by Richard Brodie_1, Sat, 24 May 2014 09:31:22 GMT

Re: ProCurve manager hardening - port 51111
http://h30499.www3.hp.com/t5/PCM/ProCurve-manager-hardening-port-51111/m-p/6486620#M658
<P>&gt;this alert is caused by self-signed certificate produced from PCM.</P>
<P>Did it have any details about what was wrong? Typically if there is an issue with self-signed vs CA, it would say that.</P>
<P>Not "weak hash algorithms" or "weak encryption ciphers". A certificate does have an encryption key length but again, it ideally should mention that.</P>
<P>This means these are controlled by the software, not the certificate.</P>
<P>If you would like an analysis of your certificate, you can attach it on a reply.</P>
<P>&gt;... it is not an issue.</P>
<P>I would assume it's an issue, unless your management network is behind a firewall.</P>
Posted by Dennis Handly, Mon, 26 May 2014 03:19:14 GMT